Apache BookKeeper security advisories
Security information for Apache BookKeeper
Reporting
Do you want disclose a potential security issue for Apache BookKeeper? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Java Client Uses Connection to Host that Failed Hostname Verification
CVE-2022-32531 [CVE] [CVE json] [OSV json]
Last updated: 2023-07-12T14:53:21.686Z
Affected
- Apache BookKeeper through 4.14.5
- Apache BookKeeper at 4.15.0
Description
The Apache Bookkeeper Java Client (before 4.14.6 and also 4.15.0) does not close the connection to the bookkeeper server when TLS hostname verification fails. This leaves
the bookkeeper client vulnerable to a man in the middle attack.
The problem affects BookKeeper client prior to versions 4.14.6 and 4.15.1.